Today's sophisticated web exploit kits use polymorphic techniques to obfuscate each attack instance, making content-based signatures used by network intrusion detection systems far less effective than in years past. Dynamic analysis, or honeyclient analysis, of these exploits plays a key role in initially identifying new attacks in order to generate content signatures. While honeyclients can sweep the web for attacks, they generally take significant resources to implement, and any blacklists generated from these sweeps may take days or even weeks to reach network operators. This leaves network operators dependent on third-party signatures that arrive too late, or not at all.
Accordingly, there exists a need for improved methods, systems, and computer-readable media for detecting malicious network traffic.